EXCERPT: Cybercriminals are catching up to nation-states' hacking capabilities, and it's making attribution more difficult, the National Security Council's senior director for cybersecurity policy said Thursday. “They're not five years behind nation-states anymore, because the tools have become more ubiquitous,” said Grant Schneider, who also holds the title of federal CISO, at the Security Through Innovation Summit presented by McAfee and produced by CyberScoop and FedScoop. Schneider told CyberScoop that he thinks the implants cybercriminals are using in their cyberattacks have been improving. “The actual sophistication of the tool is better with criminals than we saw in the past.” Steve Grobman, the chief technology officer for McAfee, told CyberScoop that advanced crooks are behaving more corporately, which means they are able to proliferate higher-quality hacking tools. “One of the things we're seeing on the business-model side is cybercriminals are starting to use innovative processes like franchises -- affiliate groups where a cybercriminal will develop technology [and] make it available to other cybercriminals,” he said... https://www.cyberscoop.com/cybercriminals-nation-state-tools-grant-schneider/
https://www.cnbc.com/2019/04/26/cryptocurrency-bitcoin-price-falls-on-ny-ag-bitfinex-probe.html What could go wrong?
https://chicago.cbslocal.com/2019/04/18/chicago-department-of-aviation-phishing-scam/ The City of Chicago's Department of Aviation thought it was paying an approved vendor more than $1 million for services earlier this year. [...] According to a police report recently obtained by The 2 Investigators, the Department of Aviation received an email Jan. 24 from what appeared to be a city-approved vendor, Skyline Management. The company has been paid more than a quarter of a billion dollars ($284,628,921.17) for custodial services at Midway International Airport and O'Hare International Airport since 2008, city documents show. The email requested that Skyline's accounts payable information be changed from US Bank to Wells Fargo Bank. The request was referred to the city comptroller's office to make the change, which is routine procedure, according to the report. The change was made, and less than a month later, the city paid the updated account $1,150,759.82 for services. But in a call to the Department of Aviation weeks later, Skyline Management stated they had not received a payment for their services. That's when the discovery was made: Skyline never requested an account change.
Unfortunately, there's not much you can do to protect existing machines. "You need to replace critical servers," Knight said, adding that you will also need to determine what your critical data is and where it's running. ... Knight added that the only way for most companies to avoid the problem is to move their critical data and processes to the cloud, if only because cloud service providers can better protect against this kind of hardware attack. "It's time to transfer the risk," she said. And Knight warned that, at the speed things are moving, there's little time to protect your critical data. "This is going to get turned into a worm," she predicted. "It will become some sort of self-propagating worm." It's the future of cyberwarfare, Knight said. It won't stay the purview of state-sponsored actors forever. https://www.pcmag.com/article/367947/invisible-malware-is-here-and-your-security-software-cant-c [sic! if that does not work, browse on the subject line. PGN] Of course—replace all servers AND move everything critical to cloud. Easy solutions...
If there's an anomaly in power consumption for your device or embedded system it could be infected with malware. https://www.sciencedaily.com/releases/2019/04/190425115621.htm It's a variation of the long-standing change detection (or "integrity" monitoring) type of malware detection. I suspect it has a ways to go, but it is an interesting idea ...
Akuthota admitted that on February 14, 2019, he inserted a "USB Killer" device into 66 computers, as well as numerous computer monitors and computer-enhanced podiums, owned by the college in Albany. The "USB Killer" device, when inserted into a computer's USB port, sends a command causing the computer's on-board capacitors to rapidly charge and then discharge repeatedly, thereby overloading and physically destroying the computer's USB port and electrical system. [DOJ press release] https://www.justice.gov/usao-ndny/pr/former-student-pleads-guilty-destroying-computers-college-st-rose
Your bitcoin wallet may not be as secure as you think it is ... A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/ ... researchers not only found that cryptocurrency users have in the last few years stored their crypto treasure with hundreds of easily guessable private keys, but also uncovered what they call a "blockchain bandit." A single Ethereum account seems to have siphoned off a fortune of 45,000 ether -- worth at one point more than $50 million—using ... key-guessing tricks. ... the odds of guessing a randomly generated Ethereum private key is 1 in 115 quattuorvigintillion. (Or, as a fraction: 1/2^256.) That denominator is very roughly around the number of atoms in the universe. ... But as he looked at the Ethereum blockchain, Bednarek could see evidence that some people had stored ether at vastly simpler, more easily guessable keys. The mistake was probably the result, he says, of Ethereum wallets that cut off keys at just a fraction of their intended length due to coding errors, or let inexperienced users choose their own keys, or even that included malicious code, corrupting the randomization process to make keys easy to guess for the wallet's developer.
It isn't exactly Y2K, but the country is scrambling to reconcile its systems with the ancient demands of an imperial calendar. https://www.nytimes.com/2019/04/23/business/japan-reiwa-calendar.html
https://www.straitstimes.com/asia/japan-develops-app-that-yells-stop-to-scare-off-molesters "The Metropolitan Police Department in Tokyo has developed a free smartphone app that can help scare off would-be molesters as well as activate a security alarm. Dubbed the Digi Police, the app has been downloaded more than 220,000 times so far. A smartphone voice would shout `stop!' when a Digi Police user activates one of the app's functions to stymie molesters." Risks: Accidental/unintentional invocation, malicious activation to dilute/distract police resources. No backup if you have a sore throat and a flat battery.
In the beginning was the 9/11. (Well, actually, in the beginning was the first crypto war, back in the 90s, but ...) And the government said, let there be the PATRIOT Act (Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). And there was all kinds of warrantless activity. And the government said, let there be warrantless collection of data about international (and some local) emails and phone calls. And there was bulk metadata collection, and metadata became a new "thing." And ever since, the NSA has been collecting huge amounts of data, most of which doesn't indicate much of anything. Remember cost/benefit analysis? Well, now the NSA wants to stop doing it. Or, at least, stop doing most of it. Because it's just not worth it. https://nakedsecurity.sophos.com/2019/04/26/nsa-asks-to-end-mass-phone-surveillance or https://is.gd/y8oyyj Lots of things in security sound like maybe a good idea--until you try them. I well remember the trouble Fred Cohen got into when he started teaching his security students how to write viruses, as an exercise in trying to improve security. He doesn't do that any more. His students just didn't learn that much from it. It's not worth it. (Oh, and remember: if you're not doing anything wrong, you have nothing to fear from the gigantic surveillance apparatus that the government is hiding from you ...)
https://www.straitstimes.com/tech/dont-get-phished Singapore's government estimates business phishing losses (via e-mail impersonation, business email compromise) @ ~S$ 43M in 2017; that's ~US$ 32M (@ 1.35 SGD/USD). Using a simple population ratio (SG: 5.5M; US: 330M), equivalent US business phishing loss estimates rise to 330M/5.5M * US$32M =~ US$ 1.9B. A similar computation, based on GDP (SG: US$ 0.33T; US: US$ 19.5T), estimates phishing losses US$ 19.5T/US$ 0.33T * US$ 32M = 59 * US$ 32M =~ US$ 19B. See 2017 GDP estimates: https://countryeconomy.com/countries/[singapore,usa Forbes concludes US business losses @ ~US$ 500M per year. https://www.forbes.com/sites/leemathews/2017/05/05/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/ The FBI investigated ~22,000 business email compromise (BEC) scams between OCT2013-DEC2016. So, the population scaling method appears to be more realistic than the GDP scaling approach. Out of curiosity, I looked up the US Justice Department budget for 2017: US$ 28.7B (https://www.justice.gov/jmd/file/821916/download). With email scams exploding, and human frailties being what they are, it appears that ~10% of the Justice Department's budget (at 2017 funding levels) will be consumed by BEC investigations in the near future. Whew!
The risk here is that if you brag about your marvelous UX, some mean people may make fun of you when you fail badly. ("Gene" rhymes with "mean" in case you were wondering.) This article is sadly hilarious or hilariously sad or something. Enjoy. Evan Schuman, Computerworld https://www.computerworld.com/article/3390149/why-ive-learned-to-hate-my-apple-watch.html In a perfect world, the Apple Watch Series 4 could be great. With a few easy settings, a glance at the watch would deliver time, temperature, the dial-in details for your next appointment or many other things that would be helpful. But we don't live in a perfect world.
“I cannot open i-dressup. Its showing SQL ERROR...why?? I am scared” https://www.theverge.com/2019/4/27/18518619/i-dress-up-virtual-website-ftc-data-breach
https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html Over the past year, Apple has removed or restricted at least 11 of the 17 most downloaded screen-time and parental-control apps, according to an analysis by *The New York Times* and Sensor Tower, an app-data firm. Apple has also clamped down on a number of lesser-known apps. In some cases, Apple forced companies to remove features that allowed parents to control their children's devices or that blocked children's access to certain apps and adult content. In other cases, it simply pulled the apps from its App Store. Some app makers with thousands of paying customers have shut down. Most others say their futures are in jeopardy. Chronic iDisorder (see http://catless.ncl.ac.uk/Risks/30/89#subj18.1) depends on eyeballs hooked by a content-enabled, continuous dopamine flow. Periodic reminders from an app to "put the device down for 15 minutes" can disrupt the dopamine flow. Dam the dopamine flow, and content-driven revenue capture is dammed along with it. Apple's AppStore dams disruptive apps with impunity.
https://www.telegraph.co.uk/news/2019/04/27/marathon-runners-warned-fitness-trackers-inaccurately-measuring "Our tests have found a number of models from big-name brands that can't be trusted when it comes to measuring distance, so before you buy, make sure you do your research to find a model that you can rely on." The article identifies GPS-unequipped fitness tracker measurement variances of between ~25-50% over/under a full marathon (~26.2 miles/42.2 km).
https://www.washingtonpost.com/technology/2019/04/24/australia-hacked-lime-scooters-spew-racism-profanity "The video is straight out of a goofy, low budget horror movie: A row of bright-green Lime scooters, parked neatly on a sidewalk, have come to life, unleashing a filthy flush of human speech." "In a statement online, the researchers said a potential hacker—using a Bluetooth-enabled app from nearly 330 feet away—could lock a scooter, deploy malware that could take full control of a device or target an individual rider, causing their scooter to unexpectedly brake or accelerate." A "Red Asphalt" warning label, in addition to a helmet, should be mandatory. They are not your father's Cyclops scooter.
OK, this seems weird, like the hapless bank robbers who smear lemon juice on their faces because they think CCTV won't be able to see them. But a new paper, examining artificial intelligence and vision systems, has found a way to generate images (or "patches") that prevent AI vision systems from "seeing" you: or, at least, identifying you as a person. https://arxiv.org/pdf/1904.08653.pdf And so, a new round of patch image generation, and patch image detection and avoidance, begins ...
Gregory Travis published an article on the involvement of the MCAS software on Boeing 737 MAX aircraft in two recent crashes, on 2019-04-18 in IEEE Spectrum. The article is available at https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer (site registration is required). [See Jacobson and my comment on Koenig, the next two items. PGN] The article has recently been praised by Bruce Schneier in his Crypto-Gram newsletter and blog https://www.schneier.com/blog/archives/2019/04/excellent_analy.html and John Naughton in The Observer newspaper (in "What I'm reading" at https://www.theguardian.com/commentisfree/2019/apr/28/google-street-view-calculate-car-accident-risks-digital-tech). Travis has written a readable, but unfortunately technically misleading, article on the accidents to Boeing 737 MAX 8 aircraft and the involvement of the MCAS software in those accidents. The purpose of this note is solely to point out some technically misleading parts of Travis's article and correct them. Travis suggests that MCAS was devised to inhibit a tendency to stall in certain flight regimes. As far as I know, this is incorrect. Boeing has said in public that MCAS is not `anti-stall SW'. For example, Flight International's test pilot Mike Gerzanics operates the type for a `major carrier' and says in the very first sentence of an article on the preliminary report of the Ethiopian crash of ET-302: “the 737 Max family's Maneuvering Characteristics Augmentation System (MCAS) is not a `stall-prevention' or `safety' feature.” https://www.flightglobal.com/news/articles/opinion-et302-interim-report-raises-more-questions-457369/ I understand the situation as follows. MCAS was devised to fulfill an airworthiness certification condition in 14 CFR 25.173 and 14 CFR 25.175.
In high angle-of-attack (AoA) flight configuration, it is required that stick force/g (the stick force necessary to produce (hold) an incremental normal acceleration of 1g) and stick movement/g (ditto mutatis mutandis) must increase (or at least not decrease) with an increase in AoA. I understand that in flight test, in which `wind-up turns' were conducted (a turn with increasing angle of bank; an increasing angle of bank means ceteris paribus increasing AoA), this condition was not fulfilled. MCAS was devised to ensure its fulfillment. The reason this characteristic is different in this flight regime from previous 737 models apparently concerns the engine nacelles, which produce lift at high AoA, and apparently the lift they produce as AoA increases means that the stick force/g decreases. Travis suggests that the geometry of the engines means there is a greater tendency for the 737 MAX to pitch up on power application than on previous versions of the 737. I haven't seen a good argument that this is the case. Indeed, there is reason to think it might well be lower than on previous 737 models. The `pitch up' is related to the torque generated about the centre of lift (on the underside of the wing) by the engines. The centerline of the engines is, I think, closer to the underside of the wing than it was in previous models (I don't have a figure), so the `lever arm' (technical term) from the centre of thrust to the centre of lift (on the wing) may well be reduced. Engines of the previous generation of 737 were the CFM 56-7 series, which had 89-120kN of thrust, depending on the precise model. The CFM LEAP-1B engines on the MAX have 130kN of thrust (https://en.wikipedia.org/wiki/Boeing_737). 120kN to 130kN is not a big increase - the shorter lever arm may well make the pitch-up torque less than it was on previous models with 120kN-thrust engines during power increase (Travis: `propensity to pitch up with power application').
Travis connects this `propensity' with a `tendency to stall'; this `tendency' might in fact be reduced on the 737 MAX. Travis says the `nacelles cause the 737 Max at a high angle of attack to go to a higher angle of attack'. As far as I know, this is not the case. He is correct to call such a phenomenon `dynamic instability' but the 737 MAX, like all other passenger transports, is not dynamically unstable. It is dynamically stable. Travis suggests that MCAS is `a cheap way to prevent a stall when the pilots punch it'. This is manifestly not the intended purpose of MCAS. Travis also suggests that in modern transport aircraft there often are “no actual mechanical connections” between control-command systems available to the pilots and the control surfaces. In the 737, all such connections are mechanical—cables and hydraulics—with the exception of the spoilers. http://www.b737.org.uk/max-spoilers.htm This argument is here a red herring. Travis suggests AoA sensors are unreliable: `...particular angle of attack sensor goes haywire—which happens all the time'. It does not happen `all the time', or even very often. Peter Lemme writes: “Reliability of the AoA sensor was evaluated over a 4-6 year period, with a mean time between unscheduled removals was 93,000 hours. A typical airframe is modeled at about 100,000 hours, so the AoA vane typically last nearly the lifetime of the airplane.” https://www.satcom.guru/2019/03/aoa-vane-must-have-failed-boeing-fix.html Travis writes that there are “...several other instruments that can be used to determine things like angle of attack. such as the pitot tubes, the artificial horizons, etc.” I don't see how pitot tubes can be used to sense AoA. Pitot tubes measure dynamic air pressure, which, along with static ports to measure static air pressure, are used to determine airspeed (usually so-called `indicated airspeed', IAS).
When the pitot is not directly in line with the flow of air around the aircraft, say when the aircraft is at a high AoA, then errors can be induced into IAS; AoA acts rather as a corrective input to pitot/static sensing, rather than the other way around. Artificial horizons are display instruments, not sensors; I see no way they can be used to sense AoA. One astonishing misleading statement from Travis reads as follows: “In a pinch, a human pilot could just look out the window to confirm, visually and directly, that, no, the aircraft is not pitched up dangerously. That is the ultimate check.” No, it is not the `ultimate check'. Travis seems to be confusing AoA with pitch angle/attitude. This is something which pilots from the beginning of their training are expressly taught not to do. The reason for this early emphasis on not confusing pitch angle with AoA is as follows. There are still too many general aviation accidents in the landing pattern, often when pilots are turning on to their final approach, lined up with the runway, from `base leg', which is at right angles to final. Pilots can misjudge the turn and `overshoot', that is, reach their line up to the left of the runway centreline (when flying base from the right of the runway), resp. right of the centreline (when flying base from the left). Pilots seeing they might overshoot are tempted to turn more steeply, which increases AoA and can lead to a stall. Recovering from a stall, especially an unanticipated stall, often takes more altitude than the airplane has when turning base-to-final; and the airplane augurs in. It still happens. Travis writes “It is astounding that no one who wrote the MCAS software for the 737 Max seems even to have raised the possibility of using multiple inputs.” Quite why he thinks this is any responsibility of the software engineers is unclear. It is not.
It is the responsibility of the control engineers who designed the system and the safety engineers who performed the safety analysis. The safety engineers will have performed a Failure Mode and Effects Analysis, FMEA, which consists in listing all the possible failures you can think of, and determining their effects on the flight situation. They will then have classified those effects according to their severity as none, minor, major, hazardous and catastrophic (these all have explicit definitions). According to unverified information I received from a usually-reliable source, the effect was classified as `major' in level flight and `hazardous' in turns. We now know after two accidents in level flight that this classification, if so, is inappropriate. A further issue, to which I do not know the answer, is whether the analysis was performed on the STS system as a whole, or MCAS separately. The manufacturer and regulator classify MCAS as a function of the STS: “Pitch stability augmentation is provided by the MCAS function of STS”, FAA Flight Standardisation Board Report Draft 17. https://www.faa.gov/aircraft/draft_docs/media/afx/FSBR_B737_Rev17_draft.pdf This is all specialist analysis which is generally not performed by software engineers (although the best software engineers are aware of how to perform such analyses). Nothing follows from this that software engineering was somehow responsible for the outcome. In this context, Travis repeats his assertion that the Boeing 737 MAX is `dynamically unstable'. It is not. I don't think any dynamically unstable aircraft could be certified according to 14 CFR 25. As an aside, Travis suggests that "the Lycoming O-360 engine in my Cessna has pistons the size of dinner plates". The cylinder bore for O-360 engines (I flew one for 12 years) is 13cm. My dinner plates (small) have a diameter of 21cm. My espresso saucers are 12.5 cm. I commend Travis's nourishment discipline at dinner, but suggest it does not easily generalise.
MS> https://spectrum.ieee.org/ Hmmm, requires a (free) account. Maybe I can find another version... Wait, what's this, https://nicolas-hoizey.com/2019/04/how-the-boeing-737-max-disaster-looks-to-a-software-developer.html Experienced plane pilot and software developer Gregory Travis explains in detail what led to the recent Boeing 737 Max disasters in this long article: How the Boeing 737 Max Disaster Looks to a Software Developer. Why do I even care? My family and I were in one of these Ethiopian Airlines' Boeing 737 Max just two weeks before the crash of flight 302, on the same flight from Addis Ababa to Nairobi! The one that crashed was registered ET-AVJ. The one we took was registered ET-AVI. Very close. I guess both have had the very same hardware and software. It gives me chills every time I think about it...
The article in question consisted of a single URL. Following the URL, one is asked to register an account. The RISK? Paying for content with your data is a bad habit, for reasons that most people on this list, including its moderator, should know fully well. Please do not contribute to this by posting such articles. [In most cases you can find a mirrored free copy. Having the title is often sufficient. PGN]
Coincidentally the following news story appeared on the BBC today: https://www.bbc.co.uk/news/education-48037122 Personally, I think that death by starvation is an excessive punishment for missing an appointment and getting your benefits sanctioned. So I would consider "not allowing people to starve to death" to be a good argument that food should be issued to the populace free of charge.
For those who still think that competition improves healthcare, consider the drug naloxone hydrochloride. This is sold by five big pharmaceutical companies and demand is soaring, but far from driving the price down, the cost has soared: from $0.92 a dose ten years ago up to $15.00 a dose. Why is this? Google "Opioid Crisis" for the answer. Drug companies in the US spend tens of billions a year advertising drugs: how does this help anyone's health? The USA has some of the highest levels of anxiety and depression in the world: not surprising when you consider that the purpose of advertising is to make people more anxious and unhappy. Naturally, the drug companies are ready with a handful of pills to relieve the anxiety: followed by another handful to alleviate the side-effects from the first lot! A happy, contented population would be terrible for the drug companies' bottom line: so must be averted at all costs. Attempts to introduce competition into the NHS have been a disaster and, rightly, resisted by the public. How do you choose the people who are passionate about caring for others? Fortunately, they are largely self-selecting: you set up an organisation whose explicit purpose and top priority is caring for others. Pay enough for a comfortable living, but not so much that you attract those who are "just in it for the money". Beyond that, it is a case of trying to create a society as a whole in which caring for others is viewed as a noble passion, and not despised and excoriated as "Socialism".
Instead of mocking such efforts you could recognise that prior to the crime of leaving the shop with goods not paid for there could have been preparation (perhaps conspiracy but not actual theft). Example video: https://www.youtube.com/watch?v=OGcYFG7WzaY
> you might think it clever to release it in a difficult format, like an
> unsearchable PDF.

It's possible this was the motivation. It's also possible that they wanted to be REALLY sure that they didn't fall prey to the well-known RISK of PDFs that aren't really redacted. RISKS-22.97 has an account of the DOJ themselves falling prey to this issue.
>>>>> "MS" == Monty Solomon <firstname.lastname@example.org> writes:

MS> https://www.eweek.com/security/oracle-patches-3-year-old-java-deserialization-flaw-in-april-update

You mean https://www.nytimes.com/2019/04/18/world/americas/amazon-domain-name.html
http://catless.ncl.ac.uk/Risks/31/20#subj5 Resubmitting original post. Visible text omitted comparison between Li-Air Battery and TNT energy density. The energy density of a Lithium storage battery, per https://en.wikipedia.org/wiki/Lithium_air_battery In the same table, TNT (https://en.wikipedia.org/wiki/Trinitrotoluene) is 4.1 MJ/kg. More than 2X!
Juggling chainsaws is perfectly safe if you are a highly skilled juggler and you know exactly what you are doing and can control the surrounding environment. But wouldn't it be better if you could use a programming language which did *not* force you to juggle chainsaws?
C does not force anyone to use strcpy() etc.; it has always also provided similar length-limiting functions, strncpy() etc. Besides, C is a language which lets the programmer control every bit of the machine, while also demanding that the programmer knows exactly what s/he's doing (and providing a lot of opportunity for shooting oneself in the foot). So strcpy() is provided for instances where a programmer is sure that any possible string given as a source would never overflow the one given as destination. Keep in mind that C was invented at a time when saving 2-3 assembly instructions on every iteration of the copy loop was considered a significant improvement!
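As an added illustration of the point above (example code written for this digest, not part of the original post): the two disciplines C offers, strcpy() used only after the caller has verified the source fits, and the length-limiting strncpy(), together with the strncpy() caveat that it writes no terminator when the source is at least as long as the limit. The function names copy_if_fits, copy_bounded and strncpy_terminates are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The discipline the post describes: strcpy() is only safe when the caller has
 * already established that the source fits. This makes that check explicit
 * and refuses the copy (instead of overflowing) when it does not. */
bool copy_if_fits(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return false;                 /* would not fit with its terminator */
    strcpy(dst, src);                 /* safe: length already verified */
    return true;
}

/* The length-limiting alternative. strncpy() bounds the write, but it does
 * not guarantee a terminator when the source is as long as the limit, so the
 * last byte is forced to NUL here. Returns true if nothing was truncated. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    strncpy(dst, src, dst_size - 1);  /* copies at most dst_size-1 bytes */
    dst[dst_size - 1] = '\0';         /* strncpy may have left no NUL */
    return strlen(src) < dst_size;    /* false means the result was cut */
}

/* Shows the strncpy() caveat directly: with a 16-byte scratch buffer
 * pre-filled with 'X' (constructed input), report whether strncpy(buf, src, n)
 * left a NUL anywhere in the first n bytes. n must be <= 16. */
bool strncpy_terminates(size_t n, const char *src)
{
    char buf[16];
    if (n > sizeof buf)
        return false;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

int main(void)
{
    char small[8];                    /* constructed: room for 7 chars + NUL */

    printf("copy_if_fits(\"abc\"): %s -> \"%s\"\n",
           copy_if_fits(small, sizeof small, "abc") ? "ok" : "refused", small);
    printf("copy_if_fits(\"abcdefghij\"): %s\n",
           copy_if_fits(small, sizeof small, "abcdefghij") ? "ok" : "refused");
    printf("copy_bounded(\"abcdefghij\"): %s -> \"%s\"\n",
           copy_bounded(small, sizeof small, "abcdefghij") ? "ok" : "truncated",
           small);
    printf("strncpy(8, \"hello\") terminated: %d\n",
           strncpy_terminates(8, "hello"));
    printf("strncpy(8, \"hello world!\") terminated: %d\n",
           strncpy_terminates(8, "hello world!"));
    return 0;
}
```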
There is a simple fix to this particular problem: the "competent authority" has to be a named person who signs an affidavit under penalty of perjury that they have personally reviewed the request and that every web page that they demand to be taken down does indeed contain "terrorist" content. So if, as in this case, they demand the takedown of the entire Project Gutenberg archive, it would be sufficient to find a single file in the archive that is not "terrorist content" (perhaps ebook number 3651, which is the one listing the square root of four to one million decimal places), and the "competent authority" will be on their way to jail.
I use an expensive (allegedly) truck GPS at work. It allegedly knows my vehicle is 6'10" wide. So why does it seem to prefer width restrictions (typically 6'6") and country lanes? My guess is that while Google has a lot of live data and prefers roads it knows are flowing, the expensive sat-navs rely on national speed limits. So rather than picking a road where the traffic is flowing at 50mph, it would rather pick a country lane where there is no speed limit. The assumption is that the National Speed Limit is 60mph (it isn't, it's 50mph for a light van on a single-carriageway road), and that I can actually *do* that speed - I daren't, many of these roads are not merely single-carriageway but single track, sunken, with blind bends, and anything much over 20mph is foolhardy. I think Gene should be blaming the expensive GPS's, not the cheap ones! Many of my colleagues use Google Maps or Waze because they're so much better.